Leading risk culture change webinar

Leading Risk Culture Change

Linda ConradDirector of Strategic Business RiskZurich

Paul WalkerZurich Chair in Enterprise Risk ManagementSt. John's University

Johan WillaertCorporate Risk ManagerAgfa Corporate Center

MAY 15, 2013Sponsored by

Questions?

OCTOBER 17, 2012

To ask a question … click on the “question icon” in the lower-right corner of your screen.


Sponsored by


MAY 15, 2013


Sponsored by


MAY 15, 2013


Sponsored by


MAY 15, 2013





MAY 15, 2013Sponsored by

INTERNAL USE ONLY

• The culture must support challenging leadership on critical elements of strategy

• Over time, it will become an engrained process• ERM can eventually be used more tactically• Approach becomes consistent across the

business• Engages the entire organization in risk

awareness• High performance operating model achieved• Organization can consciously increase risk

tolerance levels to profit from prudent risks

Culture is key to turning risk into reward

The only real mistake is the one from which we learn nothing.

- Henry Ford

INTERNAL USE ONLY 8

Enterprise risk requires leadership

Maximize growth opportunities

Better informed decision-making

Optimize risk and opportunity balance

Reduce volatility in business results

Identify and manage key exposures

Decrease total cost of capital by increasing risk transparency

INTERNAL USE ONLY 9

Steps to leadership in ERM

Set action plan and follow-up / review periodically5

Gain support from Senior Management1

Define the scope of initiative and communicate2

Map key strategic risks and vet with stakeholders3

Conduct strategic risk assessments to prioritize risks and opportunities4

Incorporate into strategic planning cycle

INTERNAL USE ONLY

• More than just an ‘Executive Sponsor’

• Should be driven by the CEO and / or Board of Directors

• Must be a recognition of the value to the organization

• Perfect opportunity to be introspective about past / current strategy, and key lessons to help repeat successes and avoid failures

• Encompasses Risk Management / Insurance function

• “Top-down” approach maintains strategic focus

Gain support from Senior Management1

INTERNAL USE ONLY

• Will ERM be undertaken company-wide? At the BU level? On specific project(s)?

• Who are the key stakeholders in the initiative?

• What is the organization’s risk appetite?

• What time horizon will be examined?

• Objectives must be defined: How will success be determined?

• Metrics should be embedded where possible to:- Measure success / failure rate- Support an early warning system – ‘Key Risk Indicators’

• Plan communications to key stakeholders – share results (successes and failures)

Define the scope of initiative and communicate2

INTERNAL USE ONLY

Map the key strategic risks and vet with stakeholders3

INTERNAL USE ONLY

Conduct Total Risk Profiling assessments to prioritize risks and opportunities

4

Incr

easing

risk

IIIIIIIV

F

E

D

C

B

A

Frequ

ency

Severity

INCREA

SING R

ISK

• Strategic Risk Assessments seek to:

• Identify• Define• Assess• Manage

• Very important to visualize risk levels

• Supports prioritization of risks and opportunities

• Variety of methods and styles, and must be tailored to the organization

INTERNAL USE ONLY

Set action plan and follow-up / review periodically5

• Strategy and risk management actions should be set in parallel

• Actions should focus on most critical risks or largest opportunities

• Leadership should evaluate the anticipated effectiveness of risk improvements

• Ownership and accountability are key – close the gap

• Review is critical:- At set intervals (quarterly, biannually, etc.)- As significant change is experienced (leadership, underlying

assumptions, objectives, etc.)

• Measure! Measure! Measure!

INTERNAL USE ONLY

Culture change demands a C- shiftTM

State of the Union: Mismanaged risks cost money and ultimately loss in shareholder value. It can also prevent you from taking advantage of opportunities that drive innovation and growth

The more you understand the risk exposures within your business, the more you can make informed decisions to prepare for the risk and promote the right opportunities

Risk Culture With Communication: C-Shift provides the structure for dealing with risks systematically and successfully

Prepare your company to understand the need for a risk culture from the “top down” so risk can be communicated and understood. This will minimize the negative effects of risk on your capital and earning, and encourage profitable growth

INTERNAL USE ONLY

Embed a proactive corporate risk culture

Build a Risk Culture prior to implementing a Risk Framework 1.Communication: Make a Commitment to Stakeholders about an “Open Environment” on risk culture and management. This includes employees, shareholders, partners, customers.

2.Leadership: Positive Messaging “Tone from the Top” and ownership of ERM from top to bottom of the firm

3.Growth: ERM into Action by linking the organization Risk Framework to Profit, to drive accountability

4.Sustainability: Focus on Implementing to align with long term Corporate Goals

Source: Survey by Harvard Business Review Analytic Services in conjunction with Zurich Financial Services Group (Zurich) January 17, 2012

INTERNAL USE ONLY

C-Shift: cultural shift to risk accountability

INTERNAL USE ONLY

Align Key Performance and Key Risk Indicators to business manage risk

• Key Performance Indicators (KPIs) help a firm see how it is performing in relation to its strategic goals and objectives.

• Key Risk Indicators (KRIs) are leading indicators of risk to business performance, giving an early warning to identify a potential risk event.

• Zurich uses KRIs to monitor risks are in the areas such as:• natural catastrophe risks (percentage of group shareholder

equity)• asset-liability matching (duration mismatch)• strategic asset allocation (percent allowed in investment

categories)• credit risk (weighted average credit rating)• other risks specific to business or functional areas

INTERNAL USE ONLY

Enterprise Risk Wheel

INTERNAL USE ONLY

Leadership in Risk: bridging the gap

Engage with leadership by using ERM to go beyond compliance by applying ERM tools for operational and strategic purposes

• mergers and acquisitions • business resiliency • new project and product development • customers’ risks• decisions made in the marketplace• other

INTERNAL USE ONLY

Zurich’s family of risk tools

Risk understandin

g

Total Risk

Profiling

Risk Room

Natural Catastrophe -Location risk

Profit risk

exposure

Disruption understandin

gBusiness

interruption analysis

Risk assessmen

t

Provides macro country insights, e.g. political stability, economic status, labour situation

Provides exposure information for Zurich, customer or supplier locations in respect of e.g. floods, earthquakes, windstorm, related transport infrastructure

Helps in the understanding of the level and nature of disruptions in a particular industry or a particular location from our proprietary database

Enables a company to understand its total customer or supply chain profit exposure in terms of a particular location, country or region

Helps a company model its relevant BI exposures

Formalised assessment of relevant areas which are part of the due diligence

process in sourcing

Structured approach to defining risk appetite and

prioritisation for dealing with risks in the value

chain

Visit www.zurich.com/riskroom and www.SupplyChainRiskInsights.com for more info, and search for our free app of the Zurich Risk Room in the iTunes or Google Play store

INTERNAL USE ONLY

Total Risk Profiling (TRP)

Define the risk appetite Prioritize risk scenarios and develop improvement plan

A

B

C

D

E

F

IV III II I

PR

OB

AB

ILIT

Y

SEVERITY

36

42

51

Prioritized

Develop risk scenarios Quantify financial severity and assess probability

TIM

ELIN

E!!

1. VULNERABILITY• what?• where• controls?

2. TRIGGER• how?• why?• when?

3. CONSEQUENCES• how big?• how bad?• how much?

TIM

ELIN

E!!

1. VULNERABILITY• what?• where• controls?

2. TRIGGER• how?• why?• when?

3. CONSEQUENCES• how big?• how bad?• how much?

How can you deal with risks that you don’t even know are there?

Visit www.ZurichERM.com for more information

INTERNAL USE ONLY

Proactive in the business life cycle

Zurich-sponsored HBR Survey: “Risk Management in a Time of Global Uncertainty

You know when you’re really getting good at risk management, when the company does its risk assessment at the project kickoff rather than at the end.

– Angela Herrin, Harvard Business Review Analytics Services

INTERNAL USE ONLY

Turning risk into results

After Zurich introduced an enhanced operational risk management framework

• One business unit reduced operational risk-based capital (RBC) consumption by 21.7 percent when Zurich moved from an asset-based to a risk- based approach for operational risk quantification

• The business unit then identified high risk exposures, performed a deeper assessment and developed mitigation measures.

• The unit experienced an additional reduction of 28.9 percent in operational risk capital consumption the following year.

• Operational risk capital not consumed was then available to fund profitable growth for Zurich.

INTERNAL USE ONLY

Customers Shareholders

Regulator Ratings

View of future earnings and sustainability is impacted by

perception of risk and its

management. SHV

Rating Agencies are now looking at ERM. Risk

management therefore impacting the cost of funding capital.

Rating Cost of Capital

Want well managed insurers who can manage the risks that they face.

Customer Value

Capital regimes mean that risk management is having an impact on the level of capital required.

Reputation Regulatory Capital

Management

Employees

Agents & Brokers

Enterprise risk leadership benefits all stakeholders

Risk Oversight

• Item 407(h) also requires companies to describe the role of the board of directors in the oversight of risk. Recently, the U.S. Government Accountability Office found that economic output losses from the 2007-2009 financial crisis could exceed $13 trillion. Given the magnitude of that crisis, which continues to be felt, it would be difficult to overemphasize the importance that investors place on questions of risk management. – Luis A Aguilar, SEC, Feb 20, 2013

What the prof saw…• “We’re just going to do compliance ERM.”

• CFO• “I’ve never heard any of that.”

– NYSE Board member• “Can’t criticize anything we do.”

– NYSE Chairman of the board• “We cleanse it before it gets to the board.”

– Fortune 100• “Organization’s top risk is culture and

communication.”

Board complaints

• Not getting strategy/risk info timely; no real time to digest/question.

• Says ERM but looks like silos.• ERM leader does not think broadly enough.• We do not assess board effectiveness in risk,

strategic risks, or risk oversight!• Good information…

Getting good information

– “CEOs can share only what they want to share.”

– “The question for most boards members [is this]: Are they getting good information? And I would argue that, in some cases, they are not.”

Improve transparency

• “When you have a good CEO who is open and transparent, you are able to get good [risk] information. When you don’t, it’s the board’s responsibility to create an environment where they get the information they need… and not be passive or be managed.” – Board member

Boards

• Get engaged• Do more than listen• Understand the risk culture• Ask the right risk questions

Leading Risk Culture Change Webinar

Johan Willaert Board member FERMA

15 May 2013

agenda• Risk governance and risk committee • Risk appetite and risk tolerance • Strategic and operational goals versus risk

management• Channels of communication: link with

– Internal audit– business units

Risk governance and risk committee:

• How to organize and • How to make this organisation work and make

it ‘focus driven’ with focus on operational and strategic goals

MGD11.5.10© Vlerick Leuven Gent Management School

Corporate Strategy

Management Culture

Management Architecture

Corporate Governance

Risk Management: Risk Management: Integrated Integrated ApproachApproach

Internal risks:Internal control

Financial risks

Infrastructure risks

Compliance

Intellectual property

…..

External Risks:Economic environment

Environmental hazards

Reputational risks

Marketplace risks

….

Risk appetite and risk tolerance: • to be prepared at C-suite level and • approved and monitored at board level

Strategic and operational goals versus risk management (1):

• Link risk management and better performance (see FERMA benchmarking survey 2012)

Strategic and operational goals versus risk management (2):

• Importance of & risk

culture

risk awareness

Channels of communication: link with • internal audit: (3 lines of defence)

• business units (top-down and bottom-up)

MGD11.5.10© Vlerick Leuven Gent Management School

Audit Committee

CEO + ExecutiveCommittee

The Board

Business support groups:

Business unit operations:

Group risk oversight & compliancegroup risk profile

Individual managers

Operationalrisk

managem

entERM

Different management levels have to communicate (top-down & bottom-up)

tactical level

operational level

strategic

Questions?

OCTOBER 17, 2012

To ask a question … click on the “question icon” in the lower-right corner of your screen.

Thank you for joining us!

MAY 15, 2013

INTERNAL USE ONLY

Copyright 2013

The information in this presentation was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute legal advice and accordingly, you should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances The subject matter of this presentation is not tied to any specific insurance product nor will adopting these policies and procedures

ensure coverage under any insurance policy.

Zurich Insurance Group

44